The United States District Court for the District of Maryland recently held that an insurer must cover an insured’s costs to replace its computer systems following a ransomware attack. The case, National Ink and Stitch, LLC v. State Auto Property and Casualty Insurance Company, Civ. No. SAG-18-2138 (D. Md. January 23, 2020), contains lessons for business and insurance companies going forward.

Plaintiff, an embroidery and screen printing business, obtained a businessowner’s insurance policy from the defendant, State Auto. The policy provided that State Auto “will pay for direct physical loss of or damage to Covered Property at the premises described in the Declarations caused by or resulting from any Covered Cause of Loss. The policy defined “covered Property” to include “Electronic Media and Records (Including Software).” It further defined “Electronic Media and Records” to include “electronic data processing, recording or storage media [and] data stored on such media.” 
Continue Reading Maryland Court Orders Insurance Company to Pay Ransomware Damages Under Businessowner’s Policy

Recent ransomware attacks illustrate the importance of compliance with the HIPAA required and addressable security standards. In its December 2, 2019 Fall 2019 Cybersecurity Newsletter, the Office of Civil Rights (OCR) discussed ransomware attacks and ways to recognize, prevent, mitigate and recover from an attack.

HIPAA requires both covered entities and business associates to conduct a risk analysis of the potential risks and vulnerabilities to the security of electronic Protected Health Information (ePHI) and to implement a corrective action plan to eliminate or reduce those risks and vulnerabilities. According to the OCR, these risk analyses are critical to preventing ransomware attacks because ransomware takes advantage of technical vulnerabilities. HIPAA also requires an effective procedure for information system activity review. This enables the covered entity or business associate to identify unusual activity and quickly identify an attack. The information system review should include procedures, such as audit logs, incident and breach tracking reports, and reports on system access. 
Continue Reading Cybersecurity Attacks: The Importance of Compliance With the Standards

Sophisticated cyber crimes have been of great interest in the insurance world for the past decade, but relatively low-tech schemes are also a risk to policyholders and to insurers. Tricking an employee to transfer funds to an unauthorized account is a scam that existed prior to wide-spread use of email and the Internet. For example, the fraudster calls the bank employee, pretending to be his supervisor, authorizing a payment to be made ASAP, or a seller provides “updated” information for a wire transfer at a real estate closing, and the title company sends the funds to the wrong account. More recently, perpetrators of these types of social engineering tricks have made use of email to deliver fake payment instructions, and have infiltrated company or employee accounts to obtain necessary credentials or to create the impression of authority. Depending on the facts of a claim and the terms of specific insurance contracts, policyholders who are the victims of such scams may seek coverage under cyber liability policies or under traditional lines such as crime / fidelity and general liability. 
Continue Reading Policyholder Win Under Crime Policy for Social Engineering Scam

Hackers delight in targeting U.S. companies during the holiday season triggering a year-end spike in cyber-attacks, with Carbon Black reporting a 57.5 percent increase in attempted cyber-attacks during past holiday seasons. This year we can expect that threat actors across the globe will remain online throughout the holiday season, looking to capitalize on the distraction of the holidays and the increased internet traffic that comes with online holiday shopping.

Accordingly, now, more than ever, companies should remain alert to the possibility of a cyber-attack on their information systems, especially ransomware attacks, which have more than doubled this year alone according to McAfee Labs. The FBI has also gone so far as to issue a private bulletin to automotive companies warning of “a wide range of cyber threats and malicious activity in the near future,” according to an FBI report obtained by CNN. The FBI indicates that cyber-attacks “have resulted in ransomware infections, data breaches leading to the exfiltration of personally identifiable information, and unauthorized access to enterprise networks.” 
Continue Reading ‘Tis the Season to Be on Heightened Alert: FBI Warns of Targeted Cyber Attacks

In February of this year, the Securities Exchange Commission issued its updated Statement and Guidance on Public Company Cybersecurity Disclosures.  In April, the SEC issued an Order that, among other things, levied a $35 million fine against Yahoo! Inc. for failing to properly report a 2014 data breach.  These actions support the view that the SEC is consciously committing attention and resources to cybersecurity issues affecting public companies.

Here are some key takeaways from both the Guidance and from the Yahoo! Order: 
Continue Reading SEC Takes Aim at Cybersecurity Disclosures

Congress’ 2,000-page Omnibus Spending Bill slipped in a trap for the unwary: a radical expansion of the reach of the Stored Communications Act, 18 USC §§ 2701-2712. The “Clarifying Overseas Use of Data Act,” aptly shorthanded as the CLOUD Act, successfully mooted the issue presented in the United States v. Microsoft Corp. case recently dismissed by the United States Supreme Court by instituting a new framework for cross-border discovery in criminal actions. Under the previous version of the Stored Communications Act (SCA), it was necessary to have a Mutual Legal Assistance Treaty (MLAT), essentially a treaty negotiated by a foreign nation and ratified by the Senate. The CLOUD Act, passed on March 23, 2018, allows authorities to bypass MLATs and gives law enforcement the ability to directly compel production of materials by a party storing its data abroad, as well as allowing foreign governments to access data stored in the U.S. 
Continue Reading A Storm Cloud on the Cross-Border Discovery Horizon

In 2017, the Cayman Islands passed the Data Protection Law (“DPL”), which reads much like the upcoming European Union General Data Protection Regulation (“GDPR”) that goes into effect Mary 25, 2018. The DPL applies to entities falling within the definition of “data controller” who are established in the Islands or who process data in the Islands. The DPL divides data into two categories, personal data and sensitive data. Certain information is exempt from the application of the DPL, such as data processed in connection with a corporate finance service.[1] The DPL gives individuals the right to access their information, object to processing, and the right to request their information be corrected or erased.


Continue Reading Cayman Islands Seek to Supplement Its Data Protection Law

In light of the increasing significance of cybersecurity incidents, the Securities and Exchange Commission (SEC) recently found it necessary to provide further guidance with respect to cybersecurity disclosure requirements under the federal securities laws as they apply to public operating companies. On February 21, 2018, the SEC issued interpretive guidance on the cybersecurity disclosures of public companies through a Commission Statement and Guidance on Public Company Cybersecurity Disclosures (2018 Guidance). In its 2018 Guidance, the SEC emphasized the importance of disclosing material cybersecurity risks, even in cases where a company has not yet suffered a cyberattack. According to the SEC, public companies must stay focused on these issues and take all required action to inform investors about material cybersecurity risks and incidents in a fulsome and timely fashion.

The 2018 Guidance expands the SEC’s 2011 guidance on cybersecurity disclosure obligations and highlights a public company’s disclosure requirements when considering their disclosure obligations surrounding cybersecurity risks and incidents. It also addresses the importance of cybersecurity policies and procedures related to disclosure controls and procedures and reminds companies of their obligation to prohibit insider trading on materially non-public information about threats and incidents.
Continue Reading SEC Ratchets Up Cybersecurity Disclosure Requirements

U.S. Regulator Warns of “Evidence” of Global Cyber Assault Occurring Inside the U.S. and Steps Your Company Should Take Against a Ransomware Attack 

On Friday, May 12, 2017, Laura Wolf, Critical Infrastructure Protection Lead of the Department of Health and Human Services (HHS) issued a notification stating that:
Continue Reading ALERT: Ransomware – a Global Wake-Up Call